>>Hello all,
>>
>>something I do not understand .. I plan enabling ICP between my squid
>>proxy web caches hosted in internal lan area and my internet gateways
>>hosted in dmz area.
>>
>>Everything seems to work correctly, I see the ICP packets exchanged
>>between all devices except I always receive this type of error message ...
>>
>> 2009/04/27 16:59:27| temporary disabling (Forbidden) digest from 10.66.9.193
>>
>>Let us have a look at the configs in place ... All packages installed
>>are compiled with '--enable-cache-digests'.
>>
>>Squid (2.6.12 & 2.7.4) dmz internet gateways config ...
>>
>>icp_port 3130
>>log_icp_queries off
>>icp_hit_stale off
>>icp_access allow srcip_internalproxies
>>icp_access deny all
>>
>>Squid (2.6.12) internal Proxy web caches config ...
>>
>>icp_port 3130
>>icp_query_timeout 0
>>maximum_icp_query_timeout 50 # (milliseconds)
>>dead_peer_timeout 1 second
>>log_icp_queries off
>>icp_hit_stale off
>>icp_access deny all
>>
>>cache_peer @my_cache_parent_1@ parent 8080 3130 weight=2
>>cache_peer @my_cache_parent_2@ parent 8080 3130 weight=1
>>
>>Is it normal that I get this message or is there something I did not
>>understand with ICP and digest (e.g. not compatible) ??
>>
>>Did I forget to add some parameters next to my cache_peer entries (e.g.
>>no-digest ..) ?
>>
>
>any idea ???

I finally found why my client caches cannot get store_digest information from parent caches.

This is because client caches receive a 'Forbidden' message when requesting the url http://servername:8080/squid-internal-periodic/store_digest

my parent cache config ...

...
http_port 127.0.0.1:8080
http_port 1.2.3.4:8080
...
acl localhost src 127.0.0.1/32
acl manager proto cache_object
acl connect method CONNECT
acl safe_port port 80
acl safe_port port 8080
acl safe_port port 21
acl safe_port port 443
...
http_access allow manager localhost
http_access allow manager manager_hosts
http_access deny manager
http_access allow purge localhost
http_access allow purge manager_hosts
http_access deny purge
http_access allow localhost
http_reply_access allow localhost
http_access deny connect !SSL
http_access deny !safe_port
http_access allow srcip_internalproxies
http_reply_access allow srcip_internalproxies
http_reply_access deny all
http_access deny all

After many many tries I noticed that denying 'connect' and 'safe_port' access lists at parent caches level blocked the clients, so it seems that requesting something to port 8080 is forbidden, but I got no problem to reach the net ...

When going forward into my tests, I just noticed that the internal /squid-internal-periodic/ url path is always listening on port 3128 even if the squid process is listening on another port like 8080 in my case.

In other words if I add 'acl safe_port port 3128' in my parent config and I send the query http://servername:3128/squid-internal-periodic/store_digest, the issue is solved ...

Is this some normal behaviour, a bug or did I do something wrong ??

>many thks to help me.
>Vincent
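
The rule order described in the message above can be checked offline with a small first-match evaluator. This is an added example, not part of the original message and not Squid code; the contents of srcip_internalproxies, manager_hosts, purge and SSL are not shown in the post and are assumed here, and 192.0.2.10 is a constructed child-proxy address.

```python
# Added illustration (not Squid code): first-match evaluation of http_access.
from urllib.parse import urlsplit

# ACLs marked "assumed" are not defined in the posted excerpt.
ACLS = {
    "all": lambda r: True,
    "localhost": lambda r: r["src"] == "127.0.0.1",
    "manager": lambda r: r["scheme"] == "cache_object",
    "connect": lambda r: r["method"] == "CONNECT",
    "safe_port": lambda r: r["port"] in {80, 8080, 21, 443},
    "purge": lambda r: r["method"] == "PURGE",                     # assumed
    "manager_hosts": lambda r: False,                              # assumed empty
    "SSL": lambda r: r["port"] == 443,                             # assumed
    "srcip_internalproxies": lambda r: r["src"] == "192.0.2.10",   # assumed
}

# http_access lines from the post, in order (http_reply_access is not modelled).
HTTP_ACCESS = [
    "allow manager localhost", "allow manager manager_hosts", "deny manager",
    "allow purge localhost", "allow purge manager_hosts", "deny purge",
    "allow localhost", "deny connect !SSL", "deny !safe_port",
    "allow srcip_internalproxies", "deny all",
]

def request(src, method, url):
    u = urlsplit(url)
    return {"src": src, "method": method, "scheme": u.scheme, "port": u.port or 80}

def matches(name, req, acls):
    """All ACL names on a rule must match; a leading '!' negates one."""
    negate = name.startswith("!")
    return acls[name.lstrip("!")](req) != negate

def evaluate(req, acls=ACLS):
    """Return (action, rule) for the first rule whose ACLs all match."""
    for line in HTTP_ACCESS:
        action, *names = line.split()
        if all(matches(n, req, acls) for n in names):
            return action, line
    return "deny", "(no rule matched)"  # not reached: list ends in 'deny all'

PATH = "/squid-internal-periodic/store_digest"
DIGEST_3128 = request("192.0.2.10", "GET", "http://servername:3128" + PATH)
DIGEST_8080 = request("192.0.2.10", "GET", "http://servername:8080" + PATH)
# The change reported in the message: 'acl safe_port port 3128' added.
FIXED = dict(ACLS, safe_port=lambda r: r["port"] in {80, 8080, 21, 443, 3128})

if __name__ == "__main__":
    print("port 3128, posted ACLs:", evaluate(DIGEST_3128))
    print("port 8080, posted ACLs:", evaluate(DIGEST_8080))
    print("port 3128, with 3128 safe:", evaluate(DIGEST_3128, FIXED))
```

With the posted rules, a request whose URL carries port 3128 stops at `deny !safe_port` before the `allow srcip_internalproxies` line is ever consulted, which is consistent with the Forbidden reply on the digest fetch.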